joernio
[Enhancement] Lombok: line numbers are for delomboked instead of original code
Describe the bug
Joern returns the wrong line number when a file contains a Java class with multiple annotations.
Steps to Reproduce
With the following sources:
package com.test.dao.db.impl;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.ObjectInputStream;
import java.util.ArrayList;
import java.util.Map;
import org.springframework.stereotype.Repository;
import lombok.extern.slf4j.Slf4j;
@Slf4j
@Repository
public class QuartzDAOImplDefault implements QuartzDAO {
private ScanData deserializeJobData(byte[] jobData) {
ByteArrayInputStream bis = new ByteArrayInputStream(jobData);
ObjectInputStream ois = new ObjectInputStream(bis);
Map<String, Object> jobDataMap = (Map<String, Object>) ois.readObject();
}
}
Joern fails to resolve the correct line number of readObject call (l19 instead of l17):
joern> cpg.call("readObject").l
val res4: List[io.shiftleft.codepropertygraph.generated.nodes.Call] = List(
Call(
argumentIndex = 2,
argumentName = None,
code = "ois.readObject()",
columnNumber = Some(value = 64),
dispatchType = "DYNAMIC_DISPATCH",
dynamicTypeHintFullName = IndexedSeq(),
lineNumber = Some(value = 19),
methodFullName = "java.io.ObjectInputStream.readObject:java.lang.Object()",
name = "readObject",
order = 2,
possibleTypes = IndexedSeq(),
signature = "java.lang.Object()",
typeFullName = "java.lang.Object"
)
)
If we remove all the annotations or keep only one of them, Joern resolves the line number properly.
Environnement: OS: Ubuntu Version: 4.0.244 openjdk version "21.0.6" 2025-01-21
The snippet with annotations isn't actually Java code - it's Lombok code. Lombok is only supported by running "delombok" before-hand to get actual Java code. That messes with the line numbers. It's unfortunate. But short of completely reimplementing all of Lombok (i.e. lomboksrc2cpg in addition to javasrc2cpg), it's the best we can do...
